| vicente | I am ready when you are :) |
| fernand0 | ok, lets go |
| fernand0 | Hello |
| fernand0 | it is our pleasure to have today here Mr. Vicente Aceituno. He is a member |
| fernand0 | of ISECOM, The Institute for Security and Open Methodologies |
| fernand0 | (visit |
| fernand0 | them: http://www.isecom.org/ |
| fernand0 | _later_ :) |
| fernand0 | ) |
| fernand0 | He is the author of ISM3 1.0. - |
| fernand0 | Information Security Management Maturity Model and he is going to talk |
| fernand0 | about it here. |
| fernand0 | He has written a book on security: "Seguridad de la Información", Creaciones Copyright. Only in Spanish at the moment, sorry. |
| fernand0 | |
| fernand0 | The talk will be here. We will try to provide translation in #redes, and |
| fernand0 | the channel for questions and comments is #qc. |
| fernand0 | |
| fernand0 | The presentation will be in this channel. We will try to provide translation in |
| fernand0 | #redes, and we have set up #qc for questions and comments. |
| fernand0 | |
| fernand0 | vicente ... |
| vicente | Thanks, fernand0 |
| vicente | Well, I'd like to talk first about |
| vicente | the motivation to write ISM3 |
| vicente | I find other |
| vicente | ISMS standards |
| vicente | to have |
| vicente | points of view that aim |
| vicente | for invulnerability |
| vicente | Which I think is both wrong |
| vicente | and discouraging for those who CAN do something |
| vicente | about their infosec |
| vicente | but don't have a lot of resources. |
| vicente | The first good idea |
| vicente | I gathered for ISM3 |
| vicente | was the CMM maturity levels |
| vicente | that many of you will know |
| vicente | A second important point |
| vicente | was the wide difference between |
| vicente | ISO9001 and BS7799-2 certifications |
| vicente | When companies are good at something |
| vicente | they like to show it |
| vicente | There are around 450000 |
| vicente | companies ISO9001 certified, while less than |
| vicente | a thousand are BS7799-2 certified |
| vicente | BS7799-2 by the way, was the only ISMS |
| vicente | that was accreditable |
| vicente | So ISO9001 is important too |
| vicente | It goes without saying |
| vicente | that management systems have limitations |
| vicente | The most |
| vicente | cited one is that they don't |
| vicente | guarantee results. |
| vicente | But the same way an MBA means you know |
| vicente | about business, that doesn't mean |
| vicente | you will be successful at business |
| vicente | An accredited ISMS says you |
| vicente | are doing something to have repeatable |
| vicente | and improving processes |
| vicente | where mistakes are not repeated over and over again. |
| vicente | I think an ISMS should help you all the way |
| vicente | Saying What, Why, Where, When, etc. |
| vicente | ISM3 works out to answer most of these questions... |
| vicente | while taking into consideration that resources are not infinite |
| vicente | and that every organization has a different threat scenario. |
| vicente | Another important thing about ISM3 |
| vicente | is that the confidentiality, availability, integrity paradigm is dropped |
| vicente | as it is nearly worthless to solve security problems |
| vicente | I hope this is shocking for most of you. |
| vicente | The traditional definition of a security incident is |
| vicente | a failure to provide CIA |
| vicente | In ISM3 terms, an incident is a failure to meet a security objective. |
| vicente | Security objectives are organization and threat scenario dependent |
| vicente | Let's imagine a small organization without any worthwhile secrets. |
| vicente | Instead of analyzing possible Confidentiality loss problems, |
| vicente | that would later be dropped as irrelevant... |
| vicente | secrecy is never brought into the analysis |
| vicente | because it wouldn't be a security objective of the organization. |
| vicente | ISM3 helps to know |
| vicente | who should perform each process |
| vicente | using three management levels |
| vicente | strategic, tactical and operational |
| vicente | BSA is probably not very popular here... |
| vicente | but one of their documents on information security governance brought this STO idea, |
| vicente | which I find very useful to determine security responsibilities. |
| vicente | strategy sets direction and provides resources... |
| vicente | tactics manage the resources |
| vicente | and operations do the real work preventing and mitigating incidents. |
| vicente | Another good thing about ISM3 |
| vicente | is that it describes processes. |
| vicente | and the documents that define them |
| vicente | in such a way that particular activities or their frequency are not specified. |
| vicente | This makes ISM3 compatible with all current best practices in the security field |
| vicente | So you don't have to drop all your ISMS to adapt to ISM3 |
| vicente | As documentation is specified with ISO9001 in mind |
| vicente | You can accredit ISM3 the same way you accredit any other quality management system |
| vicente | Well... |
| vicente | I think I am ready for some questions. |
| vicente | Questions and Answers in the #qc channel |
| vicente | Ok, as there is no Q&A, I'll carry on. |
| vicente | Metrics are measured |
| vicente | in ISM3 using Security Targets |
| vicente | While Security Objectives are qualitative |
| vicente | Security Targets are quantitative. |
| vicente | For example, you might state "Losses due to malware won't exceed 5000 euro a year" |
| vicente | Using security targets you know |
| vicente | if your ISMS is working or not |
| vicente | Whereas when you aim for invulnerability |
| vicente | and there's an incident... |
| vicente | Is the ISMS working? Or is there a certain rate of incidents you can expect no matter what you do? |
| vicente | You can adjust your investment |
| vicente | in security using security targets. |
| vicente | avoiding being trapped in FUD tactics |
| vicente | "buy this or horrible things will happen to your company" |
| vicente | ISM3 has four maturity levels |
| vicente | but these are not compulsory. |
| vicente | Every company must choose what are the processes best suited |
| vicente | to their resources and threat profile. |
| vicente | Maturity levels just describe somehow |
| vicente | consistent ISM systems that are accreditable. |
| vicente | For example Level 1 has the following processes: |
| vicente | SSP-1 Report to Stakeholders |
| vicente | SSP-2 Coordination. |
| vicente | SSP-3 Strategic vision. |
| vicente | SSP-6 Allocate resources for information security. |
| vicente | TSP-1 Report to strategic management. |
| vicente | TSP-2 Manage allocated resources. |
| vicente | TSP-3 Define Security Targets. |
| vicente | TSP-12 Select Specific Processes. |
| vicente | OSP-1 Report to tactical management. |
| vicente | OSP-5 Environment Patching. |
| vicente | OSP-10 Backup & Redundancy Management. |
| vicente | OSP-16 Segmentation and Filtering Management. |
| vicente | OSP-17 Malware Protection Management. |
| vicente | Most of these are managerial stuff |
| vicente | But if you run a small company, What are the most important things you can do for your security? |
| vicente | Backup |
| vicente | Use anti-malware |
| vicente | Patch |
| vicente | Firewall |
| vicente | Using ISM3 you could accredit that you are doing all the important things, while devoting a minimum of resources. |
| vicente | So your company is not invulnerable, but it is reasonably well protected. |
| vicente | And you can show it |
| vicente | To bring this to a closure |
| vicente | I'd like to tell you about TPSRSR |
| vicente | Separation of duties is popular |
| vicente | But to prevent Fraud |
| vicente | Corruption, Theft, etc |
| vicente | business processes need to go beyond that |
| vicente | TPSRSR stands for Transparency, Partitioning, Separation and Rotation of Responsibilities |
| vicente | Transparency helps fight corruption |
| vicente | Partitioning helps prevent important responsibilities from being allocated to multiple roles, or none |
| vicente | Separation helps prevent a business process from being subverted by a single person |
| vicente | And Rotation makes it more difficult for people with separated responsibilities to collaborate to exploit business processes in their benefit. |
| vicente | For more information, visit isecom.org |
| vicente | My personal web page, by the way is http://www.seguridaddelainformacion.com/seg_0e.htm (Advice on PC security) |
| MJesus | clap clap clap clap clap clap clap clap clap clap |
| RaD|Tz | http://solobsd.org |
| damage | bravo |
| fernand0 | plas plas plas plas plas plas plas plas plas plas |
| felix | jaime: unlog |
The Organizing Committee